last modified: Nov 2023
my CTF writeups

overall useful website/tools

– web –

– rev –

  • to disassemble bytecode online
  • fernflower to decompile java bytecode, made by JetBrains
  • angr to get solution of input or sth

–misc –

  • z3 to find solution under constrains
  • dcode to decode anything

–forensics / osint –

– crypto –

– pwn –

  • to check binary security properties
  • gef very useful GDB plugin
  • pwntools utility for pwn in python

– I don’t know where to put –

  • gtfobins to search for binaries that can be used to get root shell under certain conditions
  • to generate reverse shell code
  • PEASS-ng to enumerate windows/linux privilege escalation


DOM Clobbering


  • CSS Font Cascading People can use unicode-range to do cascading.
  • Font side-channel Font Review BuckeyeCTF 2023 - use linguistics to make page overflow in order to leak the flag char by char.
  • STTF reference, basically, use :target in style in order to send request if the scroll to text fragment part is matched.

NoSQL Injection


JSDom jail

python jail / pyjail

CORS bypass

  • makes-sense ASIS-ctf-qual 2023 use shadow dom to let inside iframe access parent‘s document by shadowContainer.attachShadow. Basically is let e.source in window.onmessage = e=>(e.source == top && e.source.length == 0 ? eval( : '') is not undefined.

CSP bypass

JavaScript Jail

  • inside of function: use var process=this.constructor.constructor("return process;")(); to get process object. Then use var require = global.require || global.process.mainModule.constructor._load;, the script here spawnSync.js, or even this.require to get RCE.


find solution under constrains

Use z3-solver, e.g. based emoji hackasat qual 2023


Angr to find solution for input